Client Guide

Audit punch list

What a CAB auditor would find if they walked in today. Every control is bucketed by how it would fail, and each finding comes with one prescriptive action button — no more guessing what to fix next.

Three buckets

  • Will fail — the auditor will write this up as a non-conformity
  • At risk — the auditor will probe further and may issue an observation
  • Ready — evidence is in place and will pass the check

The overview

Open the Audit punch list tab. The header shows the overall readiness percentage (N / 34 ready) and three actions: Export CSV for the full finding list, Export Excel for a branded .xlsx workbook, and CAB share link to give auditors a read-only view.

Under that, three bucket cards show the headline count — Will fail, At risk, Ready. Inside each bucket, controls are grouped by failure mode (why they would fail), not by control family.

Audit punch list overview showing the readiness KPI at the top with Export CSV, Export Excel, and CAB share link buttons, the three bucket cards (Will fail 34, At risk 0, Ready 0), and the No evidence group with KEY-tagged findings for DE.AE-03.1, DE.CM-01.2, ID.AM-08.2 and other controls
Buckets at the top, failure-mode groups below. KEY badges flag the high-priority controls auditors weigh heaviest.

Failure modes explained

Instead of a green/red checkbox, every finding is labelled with the reason it would fail. Each reason has one prescriptive action button — click and you land exactly where you need to fix it.

Each failure mode, what it means, and the action button it carries:

  • No evidence: nothing is attached to this control yet. Action: Upload evidence
  • Wrong type: evidence exists but is the wrong kind (e.g. a policy where a config snapshot is required). Action: Fix artifact type
  • Insufficient scope: evidence covers some entities but not the declared population. Action: Confirm population scope
  • Stale: evidence is past its validity window. Action: Refresh evidence
  • Population gap: integration coverage is lower than the declared estate (e.g. Graph sees 12 devices, you declared 83). Action: Reconcile integration

Click any finding to expand it. The expanded row lists the specific evidence that is missing, a short hint, and the action button.

Expanded finding for DE.AE-03.1 showing two missing-evidence bullets (SIEM configuration, correlated alerts sample), the hint Attach a policy config snapshot or log to this control, and a blue Upload evidence button
One prescriptive action per finding. No ambiguity about the next step.
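To make the failure-mode logic concrete, here is an added Python example (not the platform's code) that triages a constructed set of controls into buckets, puts KEY measures first, and emits rows in the shape of the CSV export. The check order, the mode-to-bucket mapping for every mode except No evidence, the data fields, the fixed date, and the EXAMPLE-* control IDs and artifact names are assumptions for illustration; the three control IDs from the screenshot are the only ones taken from the page.

```python
"""Triage of audit punch-list findings. Added example; not the platform's code."""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Failure modes and their action buttons, as listed on this page.
ACTION_FOR_MODE = {
    "No evidence": "Upload evidence",
    "Wrong type": "Fix artifact type",
    "Insufficient scope": "Confirm population scope",
    "Stale": "Refresh evidence",
    "Population gap": "Reconcile integration",
}
# ASSUMPTION: the page only shows "No evidence" under Will fail; the rest of
# this mode-to-bucket mapping is illustrative.
BUCKET_FOR_MODE = {"No evidence": "Will fail", "Wrong type": "Will fail", "Stale": "Will fail",
                   "Population gap": "At risk", "Insufficient scope": "At risk"}
BUCKET_ORDER = {"Will fail": 0, "At risk": 1, "Ready": 2}


@dataclass
class Evidence:
    artifact_type: str     # e.g. "policy", "config_snapshot", "log"
    collected: date
    valid_days: int        # validity window
    entities_covered: int  # in-scope entities this artifact covers


@dataclass
class Control:
    control_id: str
    key: bool                           # KEY measure
    required_type: str                  # artifact type the control needs
    required_artifacts: list            # listed as missing when there is no evidence
    declared_population: Optional[int]  # Declared estate; None until confirmed in Settings
    integration_seen: Optional[int]     # entities the integration reports; None if none wired
    evidence: list = field(default_factory=list)


@dataclass
class Finding:
    control_id: str
    bucket: str
    failure_mode: str  # "" when Ready
    action: str        # "" when Ready
    key: bool
    missing: list


def failure_mode(ctrl: Control, today: date) -> Optional[str]:
    """First failure mode that applies, or None if the control is Ready.
    ASSUMPTION: the page states no precedence; this order goes root cause first
    (no artifact at all, then wrong kind, then expired, then coverage)."""
    if not ctrl.evidence:
        return "No evidence"
    usable = [e for e in ctrl.evidence if e.artifact_type == ctrl.required_type]
    if not usable:
        return "Wrong type"
    fresh = [e for e in usable if e.collected + timedelta(days=e.valid_days) >= today]
    if not fresh:
        return "Stale"
    if ctrl.declared_population is None:
        return None  # population checks need the Declared estate from Settings
    # An under-reporting integration is the root cause of a scope shortfall, so check it first.
    if ctrl.integration_seen is not None and ctrl.integration_seen < ctrl.declared_population:
        return "Population gap"
    if max(e.entities_covered for e in fresh) < ctrl.declared_population:
        return "Insufficient scope"
    return None


def finding_for(ctrl: Control, today: date) -> Finding:
    mode = failure_mode(ctrl, today)
    if mode is None:
        return Finding(ctrl.control_id, "Ready", "", "", ctrl.key, [])
    have = ", ".join(sorted({e.artifact_type for e in ctrl.evidence}))
    missing = {
        "No evidence": list(ctrl.required_artifacts),
        "Wrong type": [f"{ctrl.required_type} (only {have} attached)"],
        "Stale": [f"{ctrl.required_type} collected within its validity window"],
        "Population gap": [f"integration reports {ctrl.integration_seen} of {ctrl.declared_population} declared entities"],
        "Insufficient scope": [f"{ctrl.required_type} covering all {ctrl.declared_population} declared entities"],
    }[mode]
    return Finding(ctrl.control_id, BUCKET_FOR_MODE[mode], mode, ACTION_FOR_MODE[mode], ctrl.key, missing)


def build_punch_list(controls, today: date):
    """Findings ordered Will fail -> At risk -> Ready, KEY measures first within a bucket."""
    return sorted((finding_for(c, today) for c in controls),
                  key=lambda f: (BUCKET_ORDER[f.bucket], not f.key, f.control_id))


def readiness(findings):
    """(ready, total), the numbers behind the header KPI."""
    return sum(f.bucket == "Ready" for f in findings), len(findings)


def to_csv(findings) -> str:
    """One row per finding with the columns the Export CSV action produces."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["control_id", "bucket", "failure_mode", "action", "missing_evidence", "key"])
    for f in findings:
        w.writerow([f.control_id, f.bucket, f.failure_mode, f.action, "; ".join(f.missing), f.key])
    return buf.getvalue()


TODAY = date(2025, 1, 15)  # fixed so the example is deterministic
# Constructed sample estate; EXAMPLE-* IDs and artifact names are placeholders.
SAMPLE_CONTROLS = [
    Control("DE.AE-03.1", True, "config_snapshot", ["SIEM configuration", "correlated alerts sample"], 83, None),
    Control("DE.CM-01.2", False, "log", ["endpoint telemetry sample"], 83, None,
            [Evidence("policy", date(2024, 12, 1), 365, 83)]),
    Control("ID.AM-08.2", True, "config_snapshot", ["asset inventory export"], 83, None,
            [Evidence("config_snapshot", date(2023, 11, 1), 365, 83)]),
    Control("EXAMPLE-POP", False, "config_snapshot", ["device compliance export"], 83, 12,
            [Evidence("config_snapshot", date(2025, 1, 10), 90, 12)]),
    Control("EXAMPLE-SCOPE", False, "config_snapshot", ["MFA policy export"], 83, 83,
            [Evidence("config_snapshot", date(2025, 1, 10), 90, 60)]),
    Control("EXAMPLE-READY", False, "log", ["backup job log"], 83, 83,
            [Evidence("log", date(2025, 1, 12), 30, 83)]),
    Control("EXAMPLE-NOESTATE", False, "log", ["backup job log"], None, 5,
            [Evidence("log", date(2025, 1, 12), 30, 5)]),
]

if __name__ == "__main__":
    punch_list = build_punch_list(SAMPLE_CONTROLS, TODAY)
    ready, total = readiness(punch_list)
    print(f"{ready} / {total} ready")
    print(to_csv(punch_list))
```

The last sample control is the case the Before sending the link section warns about: its integration sees only 5 entities, but because no Declared estate is set the population check is skipped and the control comes out Ready.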

Key measures

Controls tagged KEY are the ones a CAB auditor weighs heaviest. In CyFun, these are the measures linked to major risks (ransomware, data loss, unauthorised access). The Will-fail bucket calls these out at the top of the list — fix them first to move the needle.

Driven by your assessment

Every finding on the punch list comes from the Intake assessment. If you answer a control Partially or No — or leave it unanswered — it shows up here with the exact failure mode and the evidence that would close it. Change an answer in Intake and the punch list updates immediately.

Exports and auditor access

Export CSV produces a row per finding — control ID, bucket, failure mode, missing-evidence list, KEY flag — ready to paste into a tracker or attach to a management report.

Export Excel produces a native .xlsx workbook with two sheets: a Summary (totals per bucket + per failure mode) and a filterable Findings sheet with frozen headers. Use this when sharing with a CAB auditor or pasting into a management report template.

CAB share link generates a read-only URL you can send to an external auditor. The auditor sees the same punch list and findings but cannot change anything. Treat the URL like a credential: share it only with the auditor, over a channel you trust, and revoke it from Settings when the audit is done.

Before sending the link

Confirm your Declared estate in Settings first. Population gaps are only flagged when the platform knows how many devices, users and other entities you actually have; without a declared estate, an integration that covers only part of your environment goes unflagged.
